{"id":47310446,"url":"https://github.com/jenkinsci/secone-security-scanner-plugin","last_synced_at":"2026-05-18T15:01:07.649Z","repository":{"id":258461707,"uuid":"873815103","full_name":"jenkinsci/secone-security-scanner-plugin","owner":"jenkinsci","description":"The Sec1 Security plugin provides both SCA and SAST capabilities, enabling teams to scan SCM repositories for open-source vulnerabilities and analyze code to detect security issues early in development.","archived":false,"fork":false,"pushed_at":"2026-03-12T13:21:02.000Z","size":230,"stargazers_count":1,"open_issues_count":0,"forks_count":1,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-12T14:43:53.479Z","etag":null,"topics":["devsecops","foss","sast","sca","sec1","secone","security","security-scanner"],"latest_commit_sha":null,"homepage":"https://plugins.jenkins.io/secone-sca-sast-security-scanner/","language":"Java","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jenkinsci.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"community_bridge":"jenkins","custom":["https://www.jenkins.io/donate/#why-donate"]}},"created_at":"2024-10-16T19:07:51.000Z","updated_at":"2026-03-12T11:33:18.000Z","dependencies_parsed_at":"2024-10-22T07:19:59.163Z","dependency_job_id":null,"html_url":"https://github.com/jenkinsci/secone-security-scanner-plugin","commit_stats":null,"previous_names":["jenkinsci/secone-sca-sast-security-scanner-plugin
","jenkinsci/secone-security-scanner-plugin"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/jenkinsci/secone-security-scanner-plugin","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jenkinsci%2Fsecone-security-scanner-plugin","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jenkinsci%2Fsecone-security-scanner-plugin/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jenkinsci%2Fsecone-security-scanner-plugin/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jenkinsci%2Fsecone-security-scanner-plugin/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jenkinsci","download_url":"https://codeload.github.com/jenkinsci/secone-security-scanner-plugin/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jenkinsci%2Fsecone-security-scanner-plugin/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30622415,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-17T08:10:05.930Z","status":"ssl_error","status_checked_at":"2026-03-17T08:10:04.972Z","response_time":56,"last_error":"SSL_read: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["devsecops","foss","sast","sca","sec1","secone","security","security-scanner"],"created_at":"2026-03-17T11:00:29.858Z","updated_at":"2026-05-18T15:01:07.640Z","avatar_url":"https://github.com/jenkinsci.png","language":"Java","funding_links":["https://funding.communitybridge.org/projects/jenkins","https://www.jenkins.io/donate/#why-donate"],"categories":[],"sub_categories":[],"readme":"# Sec1 Security Scanner\n\n[![Sec1](https://digitalassets.sec1.io/sec1-logo.svg)](https://sec1.io)\n\n## Introduction\n\nIntegrates Sec1 Security scanning into your CI/CD pipeline, enabling teams to identify vulnerabilities and security issues early in the development lifecycle.\n\n## Usage\n\nTo use the plugin you will need to take the following steps, in order:\n\n1. [Install the Sec1 Security Scanner Plugin](#1-install-the-sec1-security-scanner-plugin)\n2. [Configure a Sec1 API Token Credential](#2-configure-a-sec1-api-token-credential)\n3. [Add Sec1 Security to your Project](#3-add-sec1-security-to-your-project)\n\n## 1. 
Install the Sec1 Security Scanner Plugin\n\n- Go to \"Manage Jenkins\" \u003e \"System Configuration\" \u003e \"Plugins\".\n- Search for \"Sec1 Security Scanner\" under \"Available plugins\".\n- Install the plugin.\n\n### Custom Endpoints\n\nBy default, Sec1 uses the following endpoints:\n\n- **API endpoint**: `https://api.sec1.io`\n- **Dashboard endpoint**: `https://unified.sec1.io`\n\nIt is possible to configure custom endpoints by setting environment variables:\n\n- Go to \"Manage Jenkins\" \u003e \"System Configuration\" \u003e \"System\"\n- Under \"Global properties\" check the \"Environment variables\" option\n- Click \"Add\"\n- Set `SEC1_INSTANCE_URL` to override the API endpoint\n- Set `SEC1_DASHBOARD_URL` to override the dashboard endpoint (used for report URLs in build output)\n\n\n## 2. Configure a Sec1 API Token Credential\n\n- Go to \"Manage Jenkins\" \u003e \"Security\" \u003e \"Credentials\"\n- Choose a Store\n- Choose a Domain\n- Go to \"Add Credentials\"\n- Select \"Secret text\"\n- Add `\u003cYOUR_SEC1_API_KEY_ID\u003e` as the ID and configure the credential.\n- Remember the \"ID\" as you'll need it when configuring the build step.\n\nTo get a Sec1 API key, navigate to [My Account](https://account.sec1.io/) \u003e \"Login with GitHub\" \u003e click the profile icon at top right \u003e \"Settings\"\n\n- In the \"API key\" section, click \"Generate API key\"\n- Copy the key for use.\n\n\u003cblockquote\u003e\n\u003cdetails\u003e\n\u003csummary\u003e📷 Show Preview\u003c/summary\u003e\n\n![Sec1 API Token](docs/sec1-configuration-api-key.png)\n\n\u003c/details\u003e\n\u003c/blockquote\u003e\n\n## 3. Add Sec1 Security to your Project\n\nThis step depends on whether you're using Freestyle Projects or Pipeline Projects.\n\n### Freestyle Projects\n\n- Select a project\n- Go to \"Configure\"\n- Under \"Build\", select \"Add build step\" \u003e \"Execute Sec1 Security Scanner\"\n- Configure as needed. 
Click the \"?\" icons for more information about each option.\n\n\u003cblockquote\u003e\n\u003cdetails\u003e\n\u003csummary\u003e📷 Show Preview\u003c/summary\u003e\n\n![Basic configuration](docs/sec1-buildstep.png)\n\n\u003c/details\u003e\n\u003c/blockquote\u003e\n\n### Pipeline Projects\n\nUse the `sec1Security` step as part of your pipeline script. You can use the \"Snippet Generator\" to generate the code\nfrom a web form and copy it into your pipeline.\n\n\u003cblockquote\u003e\n\u003cdetails\u003e\n\u003csummary\u003e📷 Show Example\u003c/summary\u003e\n\n```groovy\npipeline {\n  agent any\n\n  stages {\n    stage('Build') {\n      steps {\n        echo 'Building...'\n      }\n    }\n    stage('Sec1 Security Scan') {\n      steps {\n        script {\n          sec1Security(\n            apiCredentialsId: '\u003cYour Sec1 Api Key ID\u003e',\n            scmUrl: 'https://github.com/your-org/your-repo',\n            runSca: true,\n            runSast: true,\n            sastIncrementalScan: false,\n            asyncScan: false,\n            scanTag: 'my-scan-tag',\n            applyThreshold: true,\n            actionOnThresholdBreached: 'unstable',\n            threshold: [criticalThreshold: '0', highThreshold: '0', mediumThreshold: '0', lowThreshold: '0']\n          )\n        }\n      }\n    }\n    stage('Deploy') {\n      steps {\n        echo 'Deploying...'\n      }\n    }\n  }\n}\n```\n\n\u003c/details\u003e\n\u003c/blockquote\u003e\nYou can pass the following parameters to your `sec1Security` step.\n\n#### `apiCredentialsId` (required, default: *none*)\n\nSec1 API Key Credential ID. As configured in \"[2. Configure a Sec1 API Token Credential](#2-configure-a-sec1-api-token-credential)\".\n\n#### `scmUrl` (optional, default: *auto-detected*)\n\nGit repository URL to scan. If not provided, the plugin attempts to detect it from the workspace `.git/config` or the `GIT_URL` environment variable. 
Use this parameter when auto-detection fails (e.g., on some pipeline configurations).\n\n#### `runSca` (optional, default: `true`)\n\nWhether an SCA (Software Composition Analysis) scan is run for the configured git repository.\n\n#### `runSast` (optional, default: `true`)\n\nWhether a SAST (Static Application Security Testing) scan is run for the configured git repository.\n\n#### `sastIncrementalScan` (optional, default: `false`)\n\nRun the SAST scan in incremental mode. Only changed code is analyzed, which is faster for large repositories. Requires a baseline full scan to exist on the Sec1 server.\n\n#### `asyncScan` (optional, default: `false`)\n\nFire-and-forget mode. The plugin submits the scan and exits without waiting for the result, so the pipeline keeps running while the scan completes on the Sec1 server. The report URL is printed in the build log.\n\nIf `applyThreshold` is also `true`, the plugin still polls for the result since threshold checks need the final counts. Use `asyncScan` without `applyThreshold` to get true fire-and-forget behavior.\n\n#### `scanTag` (optional, default: *branch name*)\n\nA tag to identify this scan. If not provided, the branch name is used. If the branch name is also unavailable, defaults to `default`.\n\n#### `applyThreshold` (optional, default: `false`)\n\nWhether the vulnerability thresholds are applied to the build.\n\n#### `threshold` (optional, default: *none*)\n\nThreshold values for each type of vulnerability. Example configuration:\n`[criticalThreshold: '0', highThreshold: '10', mediumThreshold: '0', lowThreshold: '0']`\n\nIf the scan reports more vulnerabilities than the configured threshold for the respective severity, an error is shown in the console and the build status is set according to `actionOnThresholdBreached`.\n\n#### `actionOnThresholdBreached` (optional, default: `fail`)\n\nThe action to take on the build if a vulnerability threshold is breached. 
Possible values: `fail`, `unstable`, `continue`\n\n## Scan duration\n\nThe plugin polls every 10 seconds for the scan result and times out after 30 minutes. For scans that take longer, set `asyncScan: true` (without `applyThreshold`) so the pipeline does not block.\n\n## Troubleshooting\n\nTo see more information on your steps:\n\n- View the \"Console Output\" for a specific build.\n\n---\n\n-- Sec1 team\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjenkinsci%2Fsecone-security-scanner-plugin","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjenkinsci%2Fsecone-security-scanner-plugin","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjenkinsci%2Fsecone-security-scanner-plugin/lists"}